How did you build your VM process?

Just wondering how various security professionals are building a VM process inside their organizations. Besides some best practices from Qualys, I myself like the NIST 800-40v2 standard for VM and patch management. Incident, change and release management processes based on ITIL also come in handy while building your VM process.

What other standards, frameworks, best practices did you use to build your VM process?

Due to the position I hold in my company I'm not directly involved with the implementation of the VM program. However, I'm auditing the implementation with QualysGuard. As you mentioned, there are several standards and frameworks, including NIST-800-40. Another you can consider reading about is OCTAVE from CERT. http://www.cert.org/octave

I do not believe one framework fits all, but you should mix and match to create the best tailored VM program for the organization based on the risk profile and cost.

Remember to align your patch management program properly with your VM so they become a unified cycle.

Thank you for sharing! I am not familiar with OCTAVE, but I will definitely dig into this. For a long time I had been using the CRAMM method, which also referred to VM and patch management as the cornerstones of IT security.

Patch management and VM are inseparable. Furthermore, I see that companies that use ITIL best practices also need to align patch management and VM processes with at least incident, change and release management.